Testing ping alert rule

Hi,

I created a simple rule just for testing purposes.

alert icmp $HOME_NET any -> 143.164.101.69 any (msg:"VOILA TESTE"; sid:5000000;)

Let's assume that I restart Suricata. If I ping that address, Suricata gives the alert just fine. But, after some minutes, if I ping the address again and again I get no alerts on Suricata.

Why does this happen?

Can you tell us more about your config, how you run Suricata, etc.?

I am running Suricata on AF_PACKET on 3 interfaces that receive mirrored traffic. Maybe it has something to do with the flow-timeouts?

flow-timeouts:

  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 5
    established: 300
    closed: 10
    bypassed: 100
    emergency-new: 1
    emergency-established: 5
    emergency-closed: 20
    emergency-bypassed: 5
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
stream:
  memcap: 12gb
  checksum-validation: yes      # reject incorrect csums
  inline: no    # auto will use inline mode in IPS mode, yes or no set it statically
  prealloc_sessions: 32768
  midstream: false
  async_oneside: false
  drop-invalid: yes
  bypass: no
  reassembly:
    memcap: 6gb
    depth: 12mb                  # reassemble 12mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    raw: no
    segment-prealloc: 2048
    check-overlap-different-data: true

Same on the 3 interfaces:

  - interface: enp3s0f0
    threads: auto
    cluster-type: cluster_flow
    cluster-id: 98
    defrag: yes
    use-mmap: yes
    mmap-locked: yes
    tpacket-v3: yes
    ring-size: 100000
    #block-size: 32768
    block-timeout: 10
    use-emergency-flush: yes

Probably the second attempt is getting into the flow-timeout period (established flow).

Try to decrease the value in the icmp field.

Thank you. It was the solution!

Another thing I noticed is that the alert is logged almost instantly, but the other events (e.g. netflow, tls, http logs) only show up ~6 min after the alert is logged.

Is this normal behaviour?

It is normal for the netflow for sure, since it summarizes multiple transactions into one event and will output the log after a timeout.
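The two answers above (repeated pings fall inside the established flow timeout, and the flow record is only written once that timeout has expired) can be checked with a small model of a flow table. The script below is an added example and is not Suricata's code: it takes the icmp timeouts from the flow-timeouts block quoted in the thread, treats each ping as an echo request from a constructed HOME_NET host (10.0.0.5) to 143.164.101.69 plus an immediate reply, and follows the thread's explanation that the rule alerts once per flow. It deliberately ignores the flow manager's scan interval and emergency mode, so the absolute delay of the flow record is an approximation, not the ~6 min the poster observed.

```python
"""Simplified model of Suricata-style flow timeouts for repeated ICMP pings.

Added example, not Suricata's own code. It shows (a) why pings spaced closer
than the established timeout stay in one flow, so the thread's rule alerts
only once, and (b) why the summarising flow record is emitted only after
the flow times out, long after the alert.
"""
from dataclasses import dataclass, field

# Timeout values (seconds) copied from the flow-timeouts block quoted in the thread.
PAGE_TIMEOUTS = {
    "icmp": {"new": 30, "established": 300},
    "udp":  {"new": 30, "established": 300},
    "tcp":  {"new": 5,  "established": 300},
}

# The suggested fix: a much shorter icmp timeout (value chosen for illustration).
LOWERED_ICMP_TIMEOUTS = {"icmp": {"new": 30, "established": 30}}


def flow_key(proto, a, b):
    """Direction-agnostic key so the echo reply joins the request's flow."""
    return (proto,) + tuple(sorted((a, b)))


@dataclass
class Flow:
    proto: str
    initiator: str
    first_seen: int
    last_seen: int
    packets: int = 1
    state: str = "new"          # becomes "established" once the peer answers


@dataclass
class FlowTable:
    timeouts: dict
    flows: dict = field(default_factory=dict)
    flow_records: list = field(default_factory=list)   # (emit_time, packets): the summary log line
    alerts: list = field(default_factory=list)         # timestamps at which the rule fires

    def _expiry(self, f):
        return f.last_seen + self.timeouts[f.proto][f.state]

    def sweep(self, now):
        """Expire idle flows; the flow record is only emitted at this point."""
        for key, f in list(self.flows.items()):
            if now >= self._expiry(f):
                self.flow_records.append((self._expiry(f), f.packets))
                del self.flows[key]

    def packet(self, now, proto, src, dst, rule_matches):
        self.sweep(now)
        key = flow_key(proto, src, dst)
        f = self.flows.get(key)
        if f is None:
            self.flows[key] = Flow(proto, src, now, now)
            if rule_matches:
                self.alerts.append(now)      # thread's explanation: one alert per flow
            return
        f.packets += 1
        f.last_seen = now
        if src != f.initiator:
            f.state = "established"         # reply seen: flow is now bidirectional

    def flush(self):
        """End of capture: record when the remaining flows would have been logged."""
        for f in self.flows.values():
            self.flow_records.append((self._expiry(f), f.packets))
        self.flows.clear()


def simulate_pings(ping_times, timeouts, home="10.0.0.5", target="143.164.101.69"):
    """Return (alert_times, flow_records) for pings at the given timestamps (seconds)."""
    table = FlowTable(timeouts)
    for t in ping_times:
        # Request matches the rule's direction ($HOME_NET -> target); the reply does not.
        table.packet(t, "icmp", home, target, rule_matches=True)
        table.packet(t, "icmp", target, home, rule_matches=False)
    table.flush()
    return table.alerts, table.flow_records


if __name__ == "__main__":
    pings = [0, 120, 240, 600]   # constructed: pings 2 min apart, then a 6 min pause
    for label, cfg in (("page config", PAGE_TIMEOUTS), ("lowered icmp", LOWERED_ICMP_TIMEOUTS)):
        alerts, records = simulate_pings(pings, cfg)
        print(f"{label}: alerts at {alerts}; flow records (emit_time, packets) {records}")
```

With the page's 300 s established timeout, the three pings two minutes apart share one flow and produce a single alert at t=0; the flow record for that flow is only emitted at t=540, which is the gap the poster saw between the alert and the other logs. Lowering the icmp timeout makes each ping its own flow, so each one alerts and each flow record follows shortly after.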